NYDFS

New York DFS Cyber Rules Go Live: Here’s Your Roadmap

August 28, 2017 marks the end of the initial 180-day grace period for compliance under the New York Department of Financial Services’ “first-in-the-nation” cybersecurity regulations (the “Rules”). The initial regulations were proposed last year, but NY DFS received robust public comments that led to significant amendments. While the proposed regulations set out prescriptive, one-size-fits-all requirements, the final Rules align more closely with flexible federal financial-sector guidance, captured in the NIST cybersecurity framework and the FFIEC cybersecurity assessment tool. Accordingly, the final Rules require that cybersecurity programs be calibrated to periodic “risk assessments” that give entities discretion to specify the criteria used to identify, evaluate, and remediate risks, in the context of technological developments and corporate controls.

While covered entities are technically required to be in compliance with the Rules as of Monday, there are additional transitional periods for certain items (see below), and entities have until February 15, 2018 to submit their first certifications to NY DFS. For organizations still working through compliance requirements, the steps below may help to prioritize and implement a work plan.

Financial Institutions Going First? New York Proposes Mandatory Minimum Cybersecurity Compliance Standards


Just as it promised a year ago, New York State proposed new prescriptive, minimum cybersecurity requirements for regulated financial services institutions. The regulations go final after a 45-day notice and public comment period. At that point, entities regulated by the NYDFS will be subject to the nation’s first prescriptive set of cybersecurity requirements, in contrast to the usual risk-based cybersecurity programs mandated by other financial regulators to date. Thus, unlike previous guidance and reports issued by financial regulators such as FINRA and the SEC, New York’s rules are specific requirements that all regulated financial institutions must adopt. In this Part I, we review the proposed requirements, and offer some specific steps that regulated financial services institutions should begin to consider for compliance readiness.
